Hi, Question: Can a TCP server (running on the same host as the OpenSSH server) know the user id/name of a user forwarding an TCP port ? I.e. if someone on some client machine does ssh -L9999:localhost:9999 someuser@somehost nc localhost 9999 and a service accepts the connection on port localhost:9999 on somehost, can it somehow safely read out the user name "someuser"? Long explanation: We consider using SSH port forwarding as a way to enforce authentication and authorization in an old application (running on Linux) exposing a quite a few TCP connections. On the client side the clients can use OpenSSH client or Putty to make a Socks proxy. If their application framework already supports Socks they do not have to change much to connect. Or something like libssh can be used to include the ssh client side into the application. On the server side the sshd_config can be used to set up allowed ports per user or group. This is, however, not good enough, because the application will not know the original user id, so it can niether log actions, nor allow or block actions not allowed for that particular user. So my question is: Is there any way to let the TCP application server know the user id of the SSH forwarded TCP connection? If no, would it be possible to set up the OpenSSH server to do something special per destination port basis, such as connecting to a UNIX socket instead of a TCP socket or sending the user ID as the first thing on the connection ? (We could use UNIX socket forwarding, but the the client side can't use a Socks, and most other clients such as libssh does not support it either...) Regards, Esben _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev